SYSTEM AND METHOD OF SENDING AND RECEIVING SECURE 
DATA WITH A SHARED KEY 



Lynn D. Spraggs 
BACKGROUND OF THE INVENTION 

1. Field of the invention 

The present invention relates generally to computer security and 
more specifically to allowing the secure transfer and receipt of data 
between computers. 

2. Description of the Prior Art 

In order to securely transfer data between computers on the 
Internet, various different types of encryption/decryption methods are 
used. One way of securely transferring data over the Internet includes 
the use of a public key/private key system. 

A public key is provided by some designated authority as a key 
that, combined with a private key derived from the public key, can be 
used to effectively encrypt and decrypt messages and digital signatures. 

In public key cryptography, a public and private key are created 
simultaneously using the same algorithm (a popular one is known as 
RSA) by a certificate authority. The private key is given only to the 
requesting party and the public key is made publicly available (as part of 
a digital certificate) in a directory that all parties can access. The private 
key is never shared with anyone or sent across the Internet. The private 
key is used to decrypt text that has been encrypted with the public key 
counterpart by someone else who has the public key. 

Public key cryptography generally requires a large mathematical 
decomposition in order to work effectively. Generally, the length of a 
private key is in the order of 64 bytes. Decomposing these relatively 
small private keys requires considerable computational power. Public 
key cryptography is generally used as a one-way encryption and if a 
private key is changed, then everyone else that has the public key 
counterpart must receive a new public key. 

Thus, it would be desirable to provide a system and method of 
securing data that is easy to use, does not require a public/private key, 
allows for a larger private key for more security, uses less computation 
power than public key cryptography, and can be used in two directions. 
SUMMARY OF THE INVENTION 

A system and method is provided for sending and receiving secure 
data. The data is secured by encrypting and decrypting the data with a 
key that is shared between authorized users and the server computer. 
As the server computer receives a user's encrypted data, the server 
computer decrypts the data using the user's shared key stored in a 
database on the server. The server computer can then process the data 
according to the user's instructions; this could include securely storing 
the data for retrieval by another user, processing the data, and/or 
securely sending the data to a second user by encrypting the data with 
the second user's shared key. 
BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention may be better understood, and its numerous 
objects, features, and advantages made apparent to those skilled in the 
art by referencing the accompanying illustrations. For simplicity and 
ease of understanding, common numbering of elements is employed 
where an element is the same in different illustrations. 

FIG. 1 is a schematic diagram illustrating a sending client 
transmitting secure data through a server to a receiving client over the 
Internet, in accordance with the present invention; 

FIG. 2 is a block diagram of the server computer shown in FIG. 1, 
in accordance with the present invention; 

FIG. 3 is a block diagram of one embodiment of the non-volatile 
memory module located within the server computer of FIG. 2; and 

FIG. 4 is a block diagram of the client computers shown in FIG. 1, 
in accordance with the present invention; 

WO 00/22773 PCT/US99/24142 

FIG. 5 is a block diagram of one embodiment of the non-volatile 
memory module located within the client computers of FIG. 4; 

FIG. 6 is a flowchart of a method illustrating how a sending client, 
having a shared private key, passes encrypted data to a server computer, 
according to the invention; 

FIG. 7 is a flowchart of a method illustrating how a receiving client, 
having a shared private key, requests secure data from a server 
computer, in accordance with the invention; and 

FIG. 8 is a flowchart of a method illustrating how a client, having a 
shared private key, passes secure data through a server computer. 
DETAILED DESCRIPTION OF THE INVENTION 



The following is a detailed description of illustrative embodiments 
of the present invention. As these embodiments of the present invention 
are described with reference to the aforementioned illustrations, various 
modifications or adaptations of the methods and or specific structures 
described may become apparent to those skilled in the art. All such 
modifications, adaptations, or variations that rely upon the teachings of 
the present invention, and through which these teachings have advanced 
the art, are considered to be within the spirit and scope of the present 
invention. Hence, these descriptions and drawings should not be 
considered in a limiting sense, as it is understood that the present 
invention is in no way limited to only the embodiments illustrated. 

Referring now to FIG. 1, a schematic diagram illustrates a server 
100 used to receive encrypted data from a sending client computer 102 
and transmit encrypted data to a receiving client computer 104 through 
the Internet 106 using shared private keys. The sending client 102 and 
receiving client 104 share their own private key with the server 100, but 
do not share their private key with anyone else. 

FIG. 2 is a block diagram of the server computer 100 shown in 
FIG. 1. Server 100 includes a CPU 202, a RAM 204, a non-volatile 
memory 206, an input device 208, a display 210, and an Internet 
interface 212 for providing access to the Internet. 

FIG. 3 is a block diagram of one embodiment of the non-volatile 
memory module 206 located within the server computer 100 of FIG. 2. 
The non-volatile memory 206 includes a private server key 302, a 
database of user private keys 304, an encrypt/decrypt engine 306, a web 
server engine 308 containing web page forms 310, and a secure data 
database 312 for storing encrypted data. The private server key 302 is 
known only to the server and is not shared with anyone. The database of 
user private keys 304 includes the private keys of registered users. Each 
private key of a registered user is shared only with the server and not 
with other users. 

The encrypt/decrypt engine 306 is programmed to encrypt and 
decrypt data using a password or a key. Excellent results can be 
obtained when using the blowfish algorithm for encryption and 
decryption. Other types of symmetric key encryption/decryption 
algorithms can also be employed within the encrypt/decrypt engine 306. 
The computation power required to encrypt and decrypt data using a 
single key is much less than the computational power required in a 
public/private key system, therefore longer keys can be used to provide 
an extremely high level of security. 

FIG. 4 is a block diagram of a sending client computer 102 or a 
receiving client computer 104 shown in FIG. 1. Client 102, 104 includes 
a CPU 402, a RAM 404, a non-volatile memory 406, an input device 408, 
a display 410, and an Internet interface 412 for providing access to the 
Internet. 

FIG. 5 is a block diagram of one embodiment of the non-volatile 
memory module 404 located within the clients 102, 104 of FIG. 4. The 
non-volatile memory 406 includes an encrypt/decrypt engine 502 for 
encrypting and decrypting data. The encrypt/decrypt engine 502 can 
also be stored in RAM 404. Excellent results can be obtained when the 
encrypt/decrypt engine is served up as a Java™ applet to the clients 
102, 104. The Java™ applet can be served up with a web page from an 
email sent to the clients 102, 104, and then stored on their hard drive. 

FIG. 6 is a flowchart of a method illustrating how a sending client, 
with a shared private key, passes encrypted data to a server computer 
through the Internet in accordance with the invention. The process 
begins at step 600. The sending client establishes a session over the 
Internet with a suitable server by requesting a web page from the server 
computer at step 602. At step 604 the server sends a web page form 
from the web page forms database 310 to the sending client. Next at 
step 606 the sending client enters data into the web page along with the 
user's private key. At step 608 the data is encrypted with the 
encrypt/decrypt engine at the sending client's computer using the user's 
private key and then sent to the server. 

At step 610 the server receives the sending client's data and 
decrypts the data with the user's private key that is stored in the user 
private keys database 304. Then at step 612 the server re-encrypts the 
data using the server key 302. At step 614 the server stores the 
re-encrypted data in the secure data database 312 and at step 616 the 
process ends. 

FIG. 7 is a flowchart of a method illustrating how a receiving client, 
having a shared private key, accesses encrypted data from the server 
computer through the Internet in accordance with the invention. The 
process begins at step 700. The receiving client establishes a session 
over the Internet with a suitable server by requesting the encrypted data 
from the server computer at step 702. At step 704 the server retrieves 
the encrypted data from the secure data database 312. At step 706 the 
server decrypts the data using the server key 302. Then at step 708 the 
server encrypts the data using the receiving client's private key that is 
stored in the user private keys database 304, and sends the encrypted 
data to the receiving client. 

At step 710, the receiving client enters his private key, and at step 
712 the encrypted data is decrypted with the receiving client's private key 
using the encrypt/decrypt engine 502. At step 714 the receiving client 
can access or view the data, and at step 716 the process ends. 

FIG. 8 is a flowchart of a method illustrating how a client, having a 
shared private key, passes secure data through a server computer over 
the Internet. This method is very similar to the process described in 
FIGS. 6 and 7. The process begins at step 800. A client having a private 
key shared with the server establishes a session over the Internet with 
the server by requesting a web page at step 802. At step 804 the server 
sends a web page form from the web page forms database 310 to the 
client. Next at step 806 the client enters data into the web page along 
with his private key shared with the server. At step 808 the data is 
encrypted with the encrypt/decrypt engine at the client's computer using 
the user's private key and then sent to the server. 

At step 810 the server receives the sending client's data and 
decrypts the data with the user's private key that is stored in the user 
private keys database 304. Then at step 812 the server processes the 
data. This processing step can include many different types of 
applications including, but not limited to, storing data, calculating data, 
entering a stock transaction, verifying a credit card transaction, etc. 

After the processing step is completed, at step 814 the server 
encrypts the processed data using the client's private key that is stored 
in the user private keys database 304 and sends the encrypted data to 
the client. It is not necessary for the client to be the same client that 
began the process at step 802. The server can be used as an 
intermediary for passing and processing secure data between clients. 

At step 816, the client receives the secure data and enters his 
private key. At step 818 the encrypted processed data is decrypted with 
the client's private key using the encrypt/decrypt engine 502. At step 
820 the client can access or view the data, and at step 822 the process 
ends. 
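The three flows of FIGS. 6 through 8 share one server-side pattern: decrypt 
under the sender's shared key, work on the plaintext, then re-encrypt under 
either the server key 302 or the recipient's shared key from database 304. 
The Python below is an added example written for this page, not code from 
the patent or its inventor; it models that pattern with the page's three 
stores (server key 302, user private keys database 304, secure data database 
312) and runs the store-and-retrieve flow of FIGS. 6 and 7 followed by the 
pass-through flow of FIG. 8. The patent names Blowfish; this example instead 
uses an encrypt-then-MAC construction built from HMAC-SHA256 in counter mode 
so that it runs on the Python standard library alone, and the user names, 
keys and memo are constructed sample values. The point a reviewer should 
note, and which the page itself describes, is that between the decrypt and 
re-encrypt steps the plaintext is present on the server: the design trusts 
the server as an intermediary and is not end-to-end encryption.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN = 16   # per-message random nonce, prepended to the ciphertext
TAG_LEN = 32     # HMAC-SHA256 authentication tag, appended to the ciphertext


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from one shared key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || (plaintext XOR keystream) || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    body = nonce + bytes(p ^ k for p, k in zip(plaintext, ks))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or modified data raises."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified data")
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """The three stores the patent places in the server's non-volatile memory (constructed model)."""

    def __init__(self) -> None:
        self.server_key = secrets.token_bytes(32)  # private server key 302
        self.user_keys = {}                        # database of user private keys 304
        self.secure_data = {}                      # secure data database 312

    def register(self, user: str, shared_key: bytes) -> None:
        self.user_keys[user] = shared_key

    def receive(self, user: str, blob: bytes) -> str:
        """FIG. 6, steps 610-614: decrypt with the sender's key, re-encrypt with the server key, store."""
        plaintext = decrypt(self.user_keys[user], blob)   # plaintext is visible to the server here
        record_id = secrets.token_hex(8)
        self.secure_data[record_id] = encrypt(self.server_key, plaintext)
        return record_id

    def deliver(self, record_id: str, recipient: str) -> bytes:
        """FIG. 7, steps 704-708: decrypt the stored record with the server key, re-encrypt for the recipient."""
        plaintext = decrypt(self.server_key, self.secure_data[record_id])
        return encrypt(self.user_keys[recipient], plaintext)

    def process(self, user: str, blob: bytes, handler, recipient: str | None = None) -> bytes:
        """FIG. 8, steps 810-814: decrypt, run the application handler, re-encrypt for whoever gets the result."""
        result = handler(decrypt(self.user_keys[user], blob))
        return encrypt(self.user_keys[recipient or user], result)


def demo() -> tuple[bytes, bytes]:
    """Run both flows end to end with constructed sample users and data."""
    server = Server()
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    server.register("alice", alice_key)
    server.register("bob", bob_key)

    # FIG. 6 then FIG. 7: alice stores a memo, bob retrieves it.
    memo = b"constructed sample memo for bob"
    record_id = server.receive("alice", encrypt(alice_key, memo))
    memo_seen_by_bob = decrypt(bob_key, server.deliver(record_id, "bob"))

    # FIG. 8: alice submits a request; the server processes it and returns the result to alice.
    reply = server.process("alice", encrypt(alice_key, b"balance?"), lambda req: req.upper() + b" 42")
    result_seen_by_alice = decrypt(alice_key, reply)
    return memo_seen_by_bob, result_seen_by_alice


if __name__ == "__main__":
    print(demo())
```

Because every blob carries an authentication tag, a client that is not the 
intended recipient, or a blob modified in transit, fails in `decrypt` with a 
`ValueError` rather than yielding garbage plaintext; the server's `receive` 
and `deliver` steps inherit that check unchanged.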

Various modifications can be made to the above described methods 
in order to provide a secure system and method of sending and receiving 
secure data with a shared key. This can be done in low-level and 
high-level security methods. For example, if a first user wanted to send a 
highly secure memo to a second person over the Internet using a 
screen-level encryption, the first user could write the memo at his computer, 
encrypt the memo and send it as an email through a server to the second 
user. The second user could then decrypt the email with his password 
and view the memo on his computer screen. The application used to 
decrypt and display the memo on the computer screen can be 
programmed so that the memo cannot ever be in a decrypted state in any 
file on the computer, including temporary files, but only programmed to 
display the decrypted memo on a computer screen. The application 
could be resident on the user's computer, or it can be deployed as a 
Java™ applet. 
I Claim: 

1. A system for receiving and transmitting secure data on a server 
computer using a shared key, comprising: 
    an encrypt/decrypt engine for encrypting and decrypting data 
using the shared key; 
    a database of user shared keys for encrypting and decrypting 
data for a specific user. 

2. The system of claim 1, further including a secure data database 
for storing encrypted data, and a private server key for encrypting and 
decrypting data stored on the server. 

3. The system of claim 1, wherein the encrypt/decrypt engine uses 
a symmetric key encryption/decryption algorithm for encrypting and 
decrypting data. 

4. The system of claim 1, further including a web server engine 
programmed to allow a user to send data securely using the 
encrypt/decrypt engine. 

5. The system of claim 1, further including a web server engine 
programmed to allow a user to receive secure data using the 
encrypt/decrypt engine. 

6. A method for receiving secure data on a server computer using a 
shared key, comprising the steps of: 
    receiving data on the server computer from a user, wherein the 
data is encrypted with a user's key shared between the user and the 
server computer; 
    decrypting the data with the user's key into decrypted data; and 
    processing the decrypted data. 

7. The method of claim 6, wherein processing the decrypted data 
includes the steps of: 
    encrypting the decrypted data with a private server key; and 
    storing the encrypted data in a database. 

8. The method of claim 7, wherein processing the decrypted data 
further includes the steps of: 
    decrypting the encrypted data with the private server key; 
    encrypting the data with a second user's key shared between 
the second user and the server computer; and 
    sending the encrypted data to the second user. 

9. The method of claim 8, wherein the encrypted data sent to the 
second user can only be viewed on a computer screen by the second 
user. 

10. The method of claim 6, wherein processing the decrypted data 
further includes the steps of: 
    processing the data according to the user's instructions into 
processed data; 
    encrypting the processed data using the user's shared key; and 
    sending the encrypted processed data to the user. 

11. A computer-readable medium comprising program instructions 
for receiving secure data on a server computer using a shared key, 
comprising the steps of: 
    receiving data on the server computer from a user, wherein the 
data is encrypted with a user's key shared between the user and the 
server computer; 
    decrypting the data with the user's key into decrypted data; and 
    processing the decrypted data. 

12. The computer-readable medium of claim 11, wherein processing 
the decrypted data includes the steps of: 
    encrypting the decrypted data with a private server key; and 
    storing the encrypted data in a database. 

13. The computer-readable medium of claim 12, wherein processing 
the decrypted data further includes the steps of: 
    decrypting the encrypted data with the private server key; 
    encrypting the data with a second user's key shared between 
the second user and the server computer; and 
    sending the encrypted data to the second user. 

14. The computer-readable medium of claim 11, wherein processing 
the decrypted data further includes the steps of: 
    processing the data according to the user's instructions into 
processed data; 
    encrypting the processed data using the user's shared key; and 
    sending the encrypted processed data to the user. 
ATTORNEY'S DOCKET NO.: PA1065US 
DECLARATION AND POWER OF ATTORNEY FOR PATENT APPLICATION 



As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name, 

I believe I am the original, first and sole inventor of the subject matter which is claimed and for 
which a patent is sought on the invention entitled "System and Method of Sending and 
Receiving Secure Data with a Shared Key," the specification of which (check one): 

[ ] is attached hereto. 

[X] was filed on October 14, 1999 

as U.S. Application No. 

or PCT International Application No. PCT/US99/24142 

and was amended on (if applicable). 

I hereby state that I have reviewed and understand the contents of the above-identified 
specification, including the claims, as amended by any amendment specifically referred to 
above. 

I acknowledge the duty to disclose information which is material to patentability as defined in 
Title 37, Code of Federal Regulations, §1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code §119(a)-(d) or 
§365(b) of any foreign application(s) for patent or inventor's certificate, or §365(a) of any PCT 
International application which designated at least one country other than the United States, 
listed below and have also identified below any foreign application for patent or inventor's 
certificate, or PCT International application, having a filing date before that of the application on 
which priority is claimed. 

Prior Foreign Application(s) Priority Claimed 

(Number) (Country) (Day/Month/Year filed) Yes No 

(Number) (Country) (Day/Month/Year filed) Yes No 



I hereby claim the benefit under Title 35, United States Code §119(e) of any United States 
provisional application(s) listed below. 



(Application Number) (Filing Date) 



(Application Number) (Filing Date) 

I hereby claim the benefit under Title 35, United States Code §120 of any United States 
application(s), or §365(c) of any PCT International application designating the United States, 
listed below and, insofar as the subject matter of each of the claims of this application is not 
disclosed in the prior United States or PCT International application in the manner provided by 
the first paragraph of Title 35, United States Code §112, I acknowledge the duty to disclose 
information which is material to patentability as defined in Title 37, Code of Federal 
Regulations, §1.56 which became available between the filing date of the prior application and 
the national or PCT International filing date of this application. 

PCT/US99/24142 October 14, 1999 Pending 

(Application Number) (Filing Date) (Status — patented, pending, abandoned) 



(Application Number) (Filing Date) (Status — patented, pending, abandoned) 



POWER OF ATTORNEY: I hereby appoint the following attorney(s) and/or agent(s) to 
prosecute this application and to transact all business in the Patent and Trademark Office 
connected therewith: 

John S. Ferrell, Reg. No. 34.593; J. Eppa Hite, Reg. No^O^S; 
Gregory J. Koerner, Reg. No. Charles B. Katz, Reg. Naj^&l; 

John D. Henkhaus, Reg. No. 42,656; Susan Yee, Reg. No.. 4138; 
Robert Toczycki, Reg. No-18,341 and Aaron Wmmger, Reg. No. 45^229. 



SEND ALL CORRESPONDENCE TO: 

Aaron Wininger 
CARR & FERRELL LLP 
2225 East Bayshore Road, Suite 200 
Palo Alto, CA 94303 
TEL: (650)812-3400 
FAX: (650)812-3444 



I hereby declare that all statements made herein of my own knowledge are true and that all 
statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States 
Code and that such willful false statements may jeopardize the validity of the application or any 
patent issued thereon. 


Full name of sole inventor: Lynn Spraggs 



Residence 



Inventor's signature Dated: 



Post Office Address Citizenship 



